Chainfire SuperSU for Android contains a flaw that leads to unauthorized privileges being gained. The issue is due to the to get_command() returning COMMAND unescaped, which may allow a local attacker to inject arbitrary commands. This will allow the attacker to more easily gain elevated privileges.